CertiK: Analysis of the zkSync lending protocol EraLend attack event

CertiK
Introduction

On July 25, 2023, the zkSync Era-based lending protocol EraLend announced a security incident. After a preliminary investigation, CertiK determined that EraLend had been hit by a read-only reentrancy attack, with a total loss of approximately $2.7 million.

Summary of the Incident

EraLend suffered a read-only reentrancy attack on the zkSync Era mainnet. The attack was carried out from the address 0xf1D07, and the attacker used a flash loan to manipulate EraLend's price oracle. EraLend derives prices from the reserves of a SyncSwap pool, and SyncSwap's pool code has a read-only reentrancy weakness: the burn function pays tokens out, handing control to the recipient, before _updateReserves refreshes the cached reserves. By burning LP tokens and calling back into EraLend from within that transfer, the attacker had the oracle compute a price from reserves that no longer reflected the pool's actual balances.

[Image: the code under attack, from the SyncSwap GitHub]
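The ordering described above, modeled as an added example in Python. This is a constructed simulation written for this page, not SyncSwap's or EraLend's code; the pool, the oracle formula, and the balances are assumptions chosen to make the effect visible. The burn path reduces LP supply and pays tokens out before refreshing the cached reserves, so an oracle that values LP tokens from those reserves, when called from the recipient's hook, divides the full reserves by the reduced supply. The same block shows the two usual fixes: reordering the pool to checks-effects-interactions, and having the oracle refuse to read a pool whose reentrancy lock is held.

```python
"""Read-only reentrancy against a reserves-based LP oracle.

Constructed simulation for illustration; not SyncSwap or EraLend code.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple


class PoolLocked(Exception):
    """Raised by the lock-aware oracle when the pool is mid-transaction."""


@dataclass
class Pool:
    """Two-asset pool. With safe_ordering=False, burn() reproduces the
    vulnerable ordering: LP supply and balances are reduced and tokens are
    paid out (handing control to the recipient) BEFORE _update_reserves()
    refreshes the cached reserves that the oracle reads."""
    balance0: float                        # actual token balances held by the pool
    balance1: float
    total_supply: float                    # outstanding LP tokens
    lp_balances: Dict[str, float] = field(default_factory=dict)
    safe_ordering: bool = False            # True = checks-effects-interactions
    reserve0: float = field(init=False, default=0.0)   # cached reserves
    reserve1: float = field(init=False, default=0.0)
    locked: bool = field(init=False, default=False)    # non-reentrant guard

    def __post_init__(self) -> None:
        self._update_reserves()

    def _update_reserves(self) -> None:
        self.reserve0, self.reserve1 = self.balance0, self.balance1

    def get_reserves(self) -> Tuple[float, float]:
        return self.reserve0, self.reserve1

    def burn(self, account: str, liquidity: float,
             on_receive: Optional[Callable[[], None]] = None) -> Tuple[float, float]:
        """Redeem LP tokens for the underlying. on_receive models the hook
        (for example an ETH receive()) that runs during the token transfer."""
        if self.locked:
            raise RuntimeError("reentrant call blocked by non-reentrant guard")
        self.locked = True
        try:
            amount0 = liquidity * self.balance0 / self.total_supply
            amount1 = liquidity * self.balance1 / self.total_supply
            self.lp_balances[account] -= liquidity
            self.total_supply -= liquidity
            self.balance0 -= amount0
            self.balance1 -= amount1
            if self.safe_ordering:
                self._update_reserves()       # effects before interaction
            if on_receive is not None:
                on_receive()                  # external call: recipient gets control
            if not self.safe_ordering:
                self._update_reserves()       # vulnerable: reserves refreshed last
        finally:
            self.locked = False
        return amount0, amount1


def lp_token_price(pool: Pool, price0: float, price1: float,
                   check_lock: bool = False) -> float:
    """Reserves-based oracle: USD value of one LP token. With check_lock=True
    it refuses to read a pool whose non-reentrant lock is held, the usual
    consumer-side mitigation for read-only reentrancy."""
    if check_lock and pool.locked:
        raise PoolLocked("pool is mid-transaction; cached reserves may be stale")
    r0, r1 = pool.get_reserves()
    return (r0 * price0 + r1 * price1) / pool.total_supply


def run_scenario(safe_ordering: bool, check_lock: bool):
    """Returns (price before, price seen inside the burn callback, price after).
    Constructed figures: the attacker holds 90% of LP supply (a position a
    flash loan could fund) and both tokens are priced at $1."""
    pool = Pool(balance0=1_000_000.0, balance1=1_000_000.0, total_supply=1_000_000.0,
                lp_balances={"attacker": 900_000.0, "others": 100_000.0},
                safe_ordering=safe_ordering)
    before = lp_token_price(pool, 1.0, 1.0)
    seen = {}

    def during_callback() -> None:
        # What a lending protocol would compute if the attacker's hook
        # called into it (deposit collateral, borrow) mid-burn.
        try:
            seen["mid"] = lp_token_price(pool, 1.0, 1.0, check_lock=check_lock)
        except PoolLocked:
            seen["mid"] = None

    pool.burn("attacker", 900_000.0, on_receive=during_callback)
    after = lp_token_price(pool, 1.0, 1.0)
    return before, seen["mid"], after


if __name__ == "__main__":
    print("vulnerable ordering, naive oracle:     ", run_scenario(False, False))
    print("vulnerable ordering, lock-aware oracle:", run_scenario(False, True))
    print("CEI ordering, naive oracle:            ", run_scenario(True, False))
```

In the vulnerable configuration the LP token appears ten times more valuable inside the callback than either before or after the burn; a lending protocol that accepted it as collateral at that moment would lend against value that does not exist once the transaction completes. The pool's own non-reentrant guard does not help, because the oracle's read never goes through the guarded function; that is what makes the reentrancy "read-only", and why the consumer must either check the lock itself or the pool must refresh its reserves before any external call.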

The EraLend team has released a statement saying "the attack has been contained and the attackers are no longer able to continue their actions. The scope of the impact is currently being evaluated and will be further disclosed." Users are advised not to deposit USDC into EraLend at this time.

Asset Tracking

CertiK has traced the stolen funds to multiple EOAs (externally owned accounts) controlled by the attackers, spanning the Ethereum, Arbitrum, and Optimism networks. Most of the funds have been consolidated into four wallets on the Ethereum network.

[Image: wallets holding the stolen funds]

Regarding Reentrancy Attacks

Reentrancy attack statistics by year (the 2023 figures cover attacks reported through July):

Year   Attacks   Total loss (USD)   Average loss per attack (USD)
2020   6         62,936,849.00      10,489,474.83
2021   7         67,924,596.28      9,703,513.75
2022   8         18,403,869.53      2,300,483.69
2023   7         14,121,542.00      2,017,363.14

Flash Loan Attacks: A Growing Threat

In 2023, flash loan attacks have become an increasingly serious concern in the cryptocurrency and blockchain space. There have been 128 incidents so far this year, compared with 101 attacks in all of 2022. These attacks exploit vulnerabilities in smart contracts, using borrowed capital to maximize the profit from a single transaction.

Flash loans allow users to borrow large amounts of funds without collateral, provided the loan is repaid within the same transaction. Attackers have abused this feature, causing a total loss of $255 million so far in 2023, an average of about $2 million per incident.

In the first three weeks of July alone, 22 attacks occurred, with losses of $8.5 million. Flash loan attacks in 2023 have averaged 18 per month, and July and February of 2023 each set a record of 22 attacks in a single month. This underlines the importance of understanding DeFi risk and building more secure smart contracts; vigilance and prevention are necessary to navigate this volatile field safely.

[Chart: 2023 flash loan attack loss amount, by month]

[Chart: 2023 flash loan attack loss amount, by month]

Summary

EraLend is the second largest reentrancy attack incident recorded by CertiK in July. So far there have been 3 reentrancy attacks in July, with a total loss of $6.4 million and an average loss of $2.1 million per attack.

Across 2023 to date there have been 7 reentrancy attacks, with a total loss of approximately $14.1 million, averaging $2 million per attack. Note that this year's figures only cover attacks and losses reported through July. With five months still remaining, the 2023 total may exceed the 2022 total and could even approach the 2021 level.

Understanding reentrancy attacks is crucial for anyone involved in blockchain and DeFi, in order to strengthen security practices and prevent financial losses. The number of flash loan attacks in 2023 demonstrates the need for strong security measures and third-party audits. CertiK Skynet (Web3 Security, Due Diligence, and Insights) can help you understand the security risks behind the projects you wish to participate in.

Original article, author: CertiK.
